Terrorists posing as JCAHO surveyors? Act now to make your security airtight
Terrorists posing as JCAHO surveyors? Act now to make your security airtight
Disturbing incidents at hospitals call for increased vigilance
It’s 3 a.m., and a well-dressed man and woman approach a clerk at a nurses’ station, official-looking clipboards in hand. They claim to be surveyors from the Joint Commission and demand to be taken to the pharmacy to inspect medication storage areas. In reality, they’re impostors seeking unauthorized access with motives unknown.
If this occurred at your organization, would these individuals be given carte blanche access? Or would they be asked for identification and told to wait while administration and security were notified?
Unfortunately, the above scenario is not just a hypothetical situation from a disaster drill or failure mode effect analysis. Hospitals in Boston, Detroit, and Los Angeles have reported that impostors posing as Joint Commission surveyors have attempted to gain access to their organizations. In every case, the impostors were questioned by security or hospital staff and left the premises. In addition, several other hospitals have reported individuals posing as federal law enforcement, inspectors, and physicians.
Both the number of incidents and the behavior of the impostors point to a chilling possibility. "I believe that the events described do not carry the common hallmarks of simple criminal activity," says Joe Cappiello, JCAHO’s vice president of accreditation field operations. "Maybe the criminals have become more sophisticated, but you cannot in good conscience rule out the possibility of terrorism. Sept. 11 broadened our thinking, and we would do ourselves a disservice to dismiss this possibility."
Although surveyor impostors aren’t unheard of, past incidents typically have involved an obvious motive, such as patients trying to get preferential treatment from staff. The recent incidents were markedly different, with individuals demanding information about the inner workings of hospitals and asking for access to specific areas.
"What raised our concern was the similarity of the incidents in L.A. and Boston and the fact that they took place at such an odd hour, and the impostors were asking odd questions — questions that I would not think criminals trying to case’ an organization would ask," Cappiello notes.
Alarmed JCAHO officials contacted the FBI and have met with federal anti-terrorism experts. "We became engaged with Homeland Defense and other federal agencies when we reported the impostor incidents to the FBI," he says. "Through interagency cooperation and coordination, other agencies were informed, and they followed up with us directly."
The Department of Homeland Security (DHS) is calling on U.S. hospitals to take steps to prepare for unauthorized individuals trying to gain access or obtain information.
The DHS advises encouraging staff to confront all suspicious individuals, maintain control over entrance points, monitor exit points, and review security procedures. (For a complete list of the DHS recommendations and JCAHO’s bulletin, go to www.jcaho.org. Click on "Accredited Organizations," "Security Notice Updates — To all Joint Commission accredited organizations.")
Hospitals always have been viewed as possible targets for terrorists. In a spate of other incidents, individuals have been caught taking unauthorized pictures of hospitals, asking for hospital blueprints, requesting information about the whereabouts of medicines that would be used in biological attacks, and inquiring about the institutions’ capacity for cardiac care, trauma care, and helicopter access.
"Terrorism has always been a real possibility, even before 9/11," stresses Ann Kobs, senior vice president for accreditation and standards at Cincinnati-based TUV Healthcare Specialists. "That is the purpose of having your emergency preparedness plan. Quality managers should work in concert with their environment-of-care experts to address this."
At Round Rock (TX) Medical Center, quality managers promptly shared the JCAHO and DHS alerts with administrators and directors. "We put the word out and had a meeting with our regulatory compliance committee," says Pamela R. Voss, FACHE, FASHRM, director of risk management. "We also made a printout of what the JCAHO ID badge looks like, front and back, from the web site."
Department heads were advised to instruct staff not to provide information or access to nonpublic areas of the hospital, especially sensitive areas such as pharmacy, radiology, laboratory, and engineering, to people without authorization from administration or risk management, she says.
If surveyors arrive during off-hours, staff are instructed to immediately contact the administrator and risk manager on call and contact security for assistance, Voss notes. "Any time inspectors from an external agency arrive, staff are to direct them to administration and risk management immediately. Our processes would be the same whether we thought it was terrorist activity or a prank by someone."
The Joint Commission now is recommending the following steps be taken when surveyors arrive at your facility:
- Ask to see their identification badges.
- Ask to see a letter addressed to the head of the organization signed by Russell Massaro, MD, JCAHO’s executive vice president of accreditation operations, explaining who they are and why they are there.
JCAHO surveyors follow a number of ground rules, even for unannounced inspections, Cappiello notes. "We do a number of unscheduled events every year, such as responding to a complaint, so there may be cause for us to arrive that the organization doesn’t know about. But our surveyors are instructed to present themselves and ask to be escorted to the CEO," he says. "They are not trying to talk to a low-level security person and go places on their own."
Surveyors always will announce themselves to administration and present a letter identifying themselves and the explicit reason why they are on-site unannounced. "Our surveyors wouldn’t be at all put off if someone said, I see your badge but I’d like another form of ID.’ That’s a reasonable thing to ask," Cappiello points out.
When surveyors arrive, they must be wearing JCAHO-issued ID badges and carrying the signed letters, Kobs adds. "Announced or unannounced, it is the organization’s right to request both of these items from the surveyors," she stresses.
To be clear about your rights, Kobs recommends reading the accreditation policies and procedures section of the JCAHO accreditation manual. "So many organizations jump right to the standards and agonize over a phrase or a word, but the meat of the survey process is rarely read or understood," she says. "This spells out an organization’s rights and responsibilities."
New problems with unannounced surveys?
Continuous preparation for unannounced surveys is in high gear at most organizations, with staff keenly aware that surveyors have the right to look at patient records, confidential documents, and inspect any area of the hospital they choose without prior notice. In addition, survey teams have been known to arrive in the middle of the night when investigating a complaint. Will impostor surveyors take advantage of this and attempt to convince someone working the night shift to provide immediate access to sensitive areas?
Not if procedures are followed consistently by all staff, Voss explains. During routine employee orientation, the procedure to follow when regulators from JCAHO or any other agency come into the facility is reviewed, she says. Even if surveyors were to arrive during off-hours, staff are instructed to follow the same procedures.
"It’s very unlikely that a surveyor from any agency would be there at 10 p.m. on a Sunday, and staff are to call security immediately," Voss says. "Remember that it’s our facility, and we have a duty to make sure that only people with appropriate credentials have access to the organization. Even police officers or law enforcement don’t have the right to just come in and take over. Just because they’re wearing a badge or suit doesn’t mean they can walk in and get whatever they want."
JCAHO surveys about 1,700 hospitals a year, with approximately 300 visits currently unannounced, but all surveys will be unannounced as of Jan. 1, 2006. Those plans are unchanged, Cappiello underscores.
"When we go to fully unannounced, it will present some other problems, but not insurmountable problems," he says. "First of all, unannounced means unannounced. We are not going to give organizations a day’s notice."
Unannounced surveys are not a new phenomenon in health care, stresses Patrice Spath, BA, RHIT, a health care quality specialist with Brown-Spath & Associates in Forest Grove, OR. "Several state health departments have been using this model for years for surveys of nursing homes as well as hospitals," she notes.
JCAHO surveyors still will arrive in the morning during normal business hours, except for the small number of surveys done for cause, driven by a complaint. "It may be that the best time for us to evaluate the environment in which that complaint took place is outside of normal business hours, such as, perhaps, an issue with staff on the night shift," Cappiello says. But even in those cases, surveyors still will follow the procedure of showing badges and a letter stating the reason they are there, he says.
In response to the incidents, JCAHO will give organizations a foolproof way to verify the identity of surveyors — by posting photos of the actual survey team. This information can be accessed on your organization’s secure, password-protected extranet site at midnight, central standard time, on the morning the team is to arrive. "So at 7 or 8 a.m. when the team arrives and you want to make sure, you can go and find their pictures and bios," says Cappiello. "We are working on the ability to do that in preparation for 2006. We are also looking at some internal things, including badges, to see what we can do to make it more difficult to impersonate someone from the JCAHO."
"This just goes to prove how important it is for everyone at the hospital to request the reason a person is in a certain area and, in many instances, the name of a person found wandering their hallways, regardless of how official they may look," says Kathleen A. Catalano, RN, JD, director of regulatory compliance services for Dallas-based PHNS Inc. "Any way in which the hospital quality manager can thwart threats would be warranted."
Staff at the hospitals handled the impostor situations very well, and no one was able to gain access, she notes. "I am extremely impressed with the security guards who asked for more information. When staff see someone who shouldn’t be there, they should question them, regardless of how busy they are," Catalano says. "It will make the impostor think twice and, as has been seen, throw them off their mission — whatever that may have been."
Individuals arrive at a hospital unannounced for a variety of reasons, Spath says. "They may want a copy of their medical record or bill, or to speak with someone in a particular department," she adds. "JCAHO surveyors are no different than any other customer who arrives at the hospital’s doorstep. You find out what they need and direct them to the appropriate place."
To assess your "customer validation" procedures, Spath recommends using a "secret shopper" approach. Ask someone who is not known to hospital staff to dress in professional attire and request confidential information such as a copy of a patient record, or have them say they are from the Joint Commission, she suggests.
"You can see how your validation process is actually working," Spath says. "No matter who the customer is or why they are at the hospital, we need to be certain that we have confirmed their identity. Just like we would not give someone a copy of a patient record without verifying their identity, so should we not begin the survey process without verifying the surveyors’ identity."
To develop a more secure customer validation process, solicit input from your health information management department or staff in the hospital nursery, Spath suggests. "They must deal with ID validation quite frequently," she says.
The incidents put a spotlight on a larger issue — that of overall security at your organization, Cappiello notes. "This is a really good time for hospitals to reflect on their internal security plans in general. If you’re going to do something to address this, you should use that energy in a bigger context." He suggests looking at access points, how your organization monitors who comes and goes, and your system for validating the identity of anyone claiming to be from an accrediting body or organization. "This event occurs, and we all get excited about impostors, but there are issues hospitals face every day with people trying to gain access who shouldn’t be there. There are all kinds of bizarre things that you have to be prepared for, such as identity theft and infant abductions."
Access points also are an important component of disaster preparedness, Cappiello adds. "For instance, if there is some sort of chemical spill or a biochemical weapon is used, you would need to limit access and lock down and secure the medical center. So this is not just an issue about impostors — it’s an issue about security in general and also about emergency preparedness."
In responding to this or similar incidents, your organization’s security systems are key, explains Michelle Pelling, MBA, RN, president of the Propell Group, a Newberg, OR-based health care consulting organization specializing in JCAHO compliance and performance measurement. "There is no reason these individuals should gain access."
Quality managers must advocate a thorough review of security management for their organization, Catalano says. "You should assist in creating a monitoring program to help keep security on its toes, and monitor so that corrections made can be recorded and reported as appropriate."
Surveyors will be testing organizations to make sure they have adequate systems to assure security of patients, visitors, and staff, and that there are systems to prevent this kind of thing from happening, Pelling says.
Surveyors will ask about your security system and how its effectiveness is tested, Cappiello notes. "They may ask what the hospital has done in response to the alerts."
Hospital leaders should put systems in place so that these individuals do not gain access and communicate these expectations to staff, Pelling emphasizes.
"We have alerted staff about this possible situation, but hospitals should be checking all after-hours visitors for security and safety reasons anyway," says Darlene Adams, RN, MSN, director of quality management at United Regional Healthcare System in Wichita Falls, TX. "Possibilities for impostors trying to gain access include obtaining information illegally, terrorism, and competitors looking for information." The organization allows security badge access only for all doors after business hours, with a security monitor by the main entrance. "We have visitors to the ED sign in after 9 p.m. with security," she says. "Anyone saying they are inspectors are held in security until the house supervisor and administrator on call are notified. If an impostor is identified, both police and JCAHO are to be notified."
Quality managers and safety officers should monitor compliance with security procedures through performance improvement and emergency preparedness drills such as patient abductions, Voss says. To identify areas for improvement, monitor staff’s ability to follow procedures when suspicious people are encountered and critique drills involving security issues.
"What we have done is tied safety and security to quality and service," Adams says. "Employee badges with bar codes give us audit trails to review if there is a breach in security. As we renovate our medication rooms, we are assuring secure storage and badge access."
[For more information, contact:
- Darlene Adams, RN, MSN, Director, Quality Management, 1610 10th St., Wichita Falls, TX 76301. Phone: (940) 764-3062. Fax: (940) 764-3629. E-mail: [email protected].
- Kathleen A. Catalano, RN, JD, Director, Regulatory Compliance Services, PHNS Inc., One Lincoln Centre, 5400 LBJ Freeway, Suite 200, Dallas, TX 75240. Phone: (214) 257-7112. Fax: (214) 707-7403. E-mail: [email protected].
- Ann Kobs, Senior Vice President, Accreditation and Standards, TUV Healthcare Specialists, 463 Ohio Pike, Suite 203, Cincinnati, OH 45255. Phone: (513) 947-8343. Fax: (513) 947-1250. E-mail: [email protected]. Web: www.tuvhs.com.
- Michelle H. Pelling, MBA, RN, The ProPell Group, P.O. Box 910, Newberg, OR 97132. Phone: (503) 538-5030. Fax: (503) 538-0115. E-mail: [email protected].
- Pamela R. Voss, FACHE, FASHRM, Director, Risk Management, Round Rock Medical Center, 2400 Round Rock Ave., Round Rock, TX 78681. Phone: (512) 341-5286. Fax: (512) 341-5364. E-mail: [email protected].]
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.